On Saturday, July 17, 2004, 3:30:59 PM, Frank Ellermann wrote:
Jeff Chan wrote:
It sounds like a spammer is abusing spamarrest.com's services. Is that correct?
No. The spammer uses one of his zombies (probably), some arbitrary address as "From", and another arbitrary address as "To". The "To" address happens to be a customer of spamarrest, and the "From" address in this example was...
drussell_tb AT xyzzy.claranet.de
Of course that's a bogus address, the spammers simply combine local parts like "drussel" plus junk like "_tb" with catch-all domains like xyzzy.claranet.de (in fact only "my" vanity host).
The spam is then sent to the spamarrest address (in this example From: drussel_tb@xyzzy To: anneliese@spamarrest)
Spamarrest doesn't know drussel_tb@xyzzy and therefore it sends a challenge to this address (= me). Because I'm not planning to sort Anneliese's spam I report this challenge via SC.
that should be reported back to spamarrest as abuse.
Exactly, that's what I do (using SC, several manual complaints had no effect at all).
Or is spamarrest *originating* these messages purely themselves?
No, that's very unlikely.
OK. That's pretty much how I was reading things. I don't think we should list spamarrest because there could be legitimate users of it and we don't want messages that happen to mention spamarrest as that could easily lead to false positives. Remember that our standards of inclusion need to be higher than for personal use, regular sender domain or IP RBLs, etc. because the effects of URI blocking are a lot more widespread than the effects of blocking one zombied PC somewhere.
The quick answer is that spamarrest should authenticate its senders, perhaps in the same way as they authenticate their recipients. If they're not doing something like that, then their design is broken, but having a broken design is not enough reason to list them.
Jeff C.